authorMateusz Guzik <mjg@FreeBSD.org>2021-11-03 14:00:53 +0000
committerMateusz Guzik <mjg@FreeBSD.org>2021-11-03 19:51:40 +0000
commit626bd0970abfdfba596bced3bc8a47adaf11a46d (patch)
tree9115a905e9bb7b24056ac1a63f9a3c7306533532
parentc28e39c3d6d10a72800b7f49c23453fcc1bca8cc (diff)
ipsec: fix edge case detection in key_do_getnewspi
The 'count' variable would end up being -1 post loop, while the following condition would check for 0 instead. PR: 258849 Reported by: Herbie.Robinson@stratus.com Reviewed by: ae Sponsored by: Rubicon Communications, LLC ("Netgate") Differential Revision: https://reviews.freebsd.org/D32826
-rw-r--r--sys/netipsec/key.c11
1 files changed, 6 insertions, 5 deletions
diff --git a/sys/netipsec/key.c b/sys/netipsec/key.c
index 72c598586d8e..48de29305b3c 100644
--- a/sys/netipsec/key.c
+++ b/sys/netipsec/key.c
@@ -5019,7 +5019,7 @@ static uint32_t
key_do_getnewspi(struct sadb_spirange *spirange, struct secasindex *saidx)
{
uint32_t min, max, newspi, t;
- int count = V_key_spi_trycnt;
+ int tries, limit;
/* set spi range to allocate */
if (spirange != NULL) {
@@ -5047,21 +5047,22 @@ key_do_getnewspi(struct sadb_spirange *spirange, struct secasindex *saidx)
return 0;
}
- count--; /* taking one cost. */
+ tries = 1;
newspi = min;
} else {
/* init SPI */
newspi = 0;
+ limit = atomic_load_int(&V_key_spi_trycnt);
/* when requesting to allocate spi ranged */
- while (count--) {
+ for (tries = 0; tries < limit; tries++) {
/* generate pseudo-random SPI value ranged. */
newspi = min + (key_random() % (max - min + 1));
if (!key_checkspidup(htonl(newspi)))
break;
}
- if (count == 0 || newspi == 0) {
+ if (tries == limit || newspi == 0) {
ipseclog((LOG_DEBUG,
"%s: failed to allocate SPI.\n", __func__));
return 0;
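Review bot: The divisor in `newspi = min + (key_random() % (max - min + 1));` is computed in uint32_t, so a range that spans the whole 32-bit space makes `max - min + 1` wrap to zero and the modulo becomes a division by zero in kernel context. The code that fills in and validates min and max lies between the two hunks and is not shown, so this case may already be rejected there; since spirange appears to be caller-supplied, it is worth confirming. If it is not rejected, a guard ahead of the loop such as `if (max - min == UINT32_MAX) return 0;` (or drawing the value without the modulo in that case) would close it. The body of key_do_getnewspi starts and ends outside this hunk.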
@@ -5070,7 +5071,7 @@ key_do_getnewspi(struct sadb_spirange *spirange, struct secasindex *saidx)
/* statistics */
keystat.getspi_count =
- (keystat.getspi_count + V_key_spi_trycnt - count) / 2;
+ (keystat.getspi_count + tries) / 2;
return (htonl(newspi));
}
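Review bot: The value fed into `(keystat.getspi_count + tries) / 2` no longer means the same thing on both paths. The single-value branch sets `tries = 1` for one attempt, but a loop that succeeds on its first pass breaks out with `tries == 0`, where the removed expression `V_key_spi_trycnt - count` yielded 1 for that case. If the statistic is meant to average attempts, convert the loop index to an attempt count after the failure check in the else branch, e.g. `tries++; /* index of the successful pass -> number of attempts */`. Otherwise add a comment at the statistics line saying that it counts failed probes and set `tries = 0` in the min == max branch to match.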